It has been announced they are closing down. Anyone knows any alternative for this? Or any honeypot for OpenBSD?

Quote:

IMPORTANT: Due to handling semantics of user/kernel memory in concurrent environments, the sysjail tools, in inheriting from systrace(4), are vulnerable to exploitation. Details available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)) for security purposes. sysjail is no longer maintained.

Unfortunately not. FreeBSD has a more in-depth jail mechanism with kernel support, but it's quite an extensive modification and very unlikely to be ported easily.

The problem here is that the primary developers of sysjail assumed, like many others, that systrace was designed for security, but the man page for it has always warned about a major design flaw for many years.

This doesn't mean that systrace can't be useful in controlled situations; it shouldn't have been purged immediately like the NetBSD folks decided to do.

If you try to explain what you require, it may be possible for you to achieve the "security" you desire using traditional (and/or OpenBSD-specific) mechanisms, so please consider telling us a little more about your setup.

I personally don't recommend virtualization or emulation, but assuming this isn't going into production.. it may be an option for you.

I am surprised how friendly the BSD community is. I am new enough to OpenBSD, this is my first week lol, and I haven't touched even Linux for years, so pardon me. My setup is simple: I am going to use this box as a firewall. My connection comes from ADSL at 2 Mbps. I planned to divide the bandwidth evenly between 3 people, and if possible apply QoS also, but my first priority is bandwidth management. Could a download manager (FlashGet, etc.) break the BSD traffic shaping setup? I tried using a Windows box with kiddie software like a bandwidth limiter; FlashGet/YouTube/streaming easily broke the software.

I have done some research and so far found this: http://www.benjaminheckmann.de/how..._altq_v2.7.pdf , a great start, though I still need more comments from experts like you, and more n00b friendly for people like me. Thx for helping..

I was testing by scanning my own test box; surprisingly there are more than 100 TCP/UDP ports open o_0. How can I fully make this box invisible? I need advice, tips and tricks on how to execute my plan, including hardening the box, and anything else that I may have forgotten.

Start with the OpenBSD FAQ. It is the primary "howto" for the user community, and more importantly, the only supported "howto".

In general, avoid Linux documentation; there are similarities but these are two very different OSes. Linux is not OpenBSD. OpenBSD is not Linux. For that matter, OpenBSD is neither FreeBSD nor NetBSD.

Most importantly, be extremely careful of any 3rd party OpenBSD documentation or guides, they are often out-of-date, incomplete, written by newbies, and with unclear scope and configuration limitations.

Bandwidth management (traffic shaping) is handled by OpenBSD's Packet Filter, PF. Start with the PF Users Guide, which is included with the OpenBSD FAQ. The specific chapter is called "Packet Queueing and Prioritization."

OpenBSD is secure by default. The default install has some open TCP and UDP ports, but these are for standard services that have been audited for security implications. Some examples of these: identd, daytime, date. OpenBSD users do not configure the OS to be hidden; such is anathema. The developers believe "security by obscurity is not security at all."

I can relate my experience with one scenario where limiting access for some users is needed. I use the newish SSH capability to invoke an internal-sftp server in combination with the Match User directive in sshd_config, forcing the user to use this sftp instance in a chroot. I use this for allowing people access to the web root when we are working together on a web project, but they don't need access outside of the web root or full shell access.

Code:

# global section: the directive is AllowUsers (sshd rejects "AllowUser"),
# and Subsystem must appear before any Match block
AllowUsers ______
Subsystem sftp internal-sftp
# everything below applies only to the matched user
Match User ______
    ForceCommand internal-sftp
    ChrootDirectory /var/www
# copied note from forum on how to make sure this works:
# This is quite simple really, it's stat()ing the directory specified for
# "ChrootDirectory" and all its parents up to / and checking that they are:
#
# * owned by root
# * not group or other writable

Btw, I saw the video conference by mult about process isolation at http://www.youtube.com/watch?v=JaVnNllZxn4
It was named instproc, but I can't find it anywhere, even in ports. Any idea when it's gonna be implemented?

At this moment, I cannot connect to the website, but I found the following in Google's cache. Highlights mine:

Quote:

mult is an on-going research project to create a high-performance instance multiplicity system. An instance multiplicity system has a forest of process trees, each rooted at init(8), instead of a single, global tree. Each tree, an instance, has a set of resources isolated from other instances.

mult effects multiplicity by isolating system resource in-kernel. It's implemented as a local branch of the NetBSD and OpenBSD operating systems, specifically as tagged in CVS at netbsd-5-0-RC2 and (waiting for stable RC) OPENBSD_4_4. The local branches are tagged as netbsd-5-0-MULT and OPENBSD_4_4_MULT.

Until otherwise stated, all instructions below focus on the OpenBSD version of mult....

Therefore, it is not yet part of the OS. It may be, one day. It is not yet a port/package, and I doubt it could be, as I believe the extent of changes to the kernel prevent it. (Kernel modules in packages are possible, such as emulators/kqemu, but they must be able to be separate entities. This is not.)